{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 SAY GOODBYE 的问题《Binding tab-specific data to an HTTP GET request》','https://www.manongdao.com/q-459118.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm trying to implement an authentication mechanism where each browser tab may be logged in as a different user.
Here are the rules of this system:
- An authentication token indicates which user is logged in.
- There are 2 kinds of authentication tokens: private and public.
- Each private token is bound to a single tab and determines its account information.
- The public token may be read/written to by any tab and indicates the last account that was logged into (across all tabs).
- When a user logs out in any tab, both the private and public tokens are removed.
- Each time a tab hits a page that requires authentication, the system tries reading the private token. If it is not set (as in the case of a new/blank tab), it tries copying the value of the public token into the private token. If the public token is not set then the user is redirected to an authentication screen.
- When a tab is already logged in and a user clicks on a link, the request must include the private token in a custom HTTP header. Sending this information in the URI is not an option, for security reasons.
- Ability to navigate using the back/forward button the same as you would for normal links (meaning, no prompts to re-submit form data).
What I've tried so far:
Using
cookiesfor both the private and public tokens: this doesn't work because the server has no way of knowing which cookie to look in. If a user clicks on a link from inside a tab, the request sends all cookies across all tabs and the server has no way of knowing which one clicked on the link.Storing private tokens in
sessionStorage: This doesn't work because when a user clicks on a link, there is no way to specify custom headers that should be sent alongside the HTTP GET request.Requesting the page using AJAX, then navigating to the page in memory using Data URIs: For security reasons, Internet Explorer doesn't allow the use of DATA URIs for HTML content. See http://msdn.microsoft.com/en-us/library/cc848897%28v=vs.85%29.aspx
Using
<form method="get" enctype="multipart/form-data">and passing the token using hidden fields: enctype="multipart/form-data" is only supported for POST.Using
<form method="post" enctype="multipart/form-data">and passing the token using hidden fields: in theory, this should work but now the user gets prompted to re-submit form data if he uses the back/forward button.Requesting the page using AJAX, then rewriting the current page using
document.open(); document.write(); document.close(). I tried both https://stackoverflow.com/a/4404659/14731 and http://forums.mozillazine.org/viewtopic.php?p=5767285&sid=d6a5a2e8e311598cdbad124e277e0f52#p5767285 and in both cases the scripts in the new<head>block never gets executed.
Any ideas?
Okay, after going through many different iterations, here is the implementation we ended up with:
Variables
publicToken,nextTabId.privateToken,tabId.publicToken, privateToken
publicTokenis the token returned by the last login operation, across all tabs.privateTokenis the token returned by the last login operation of the current tab.tabId
tabId.nextTabIdis a number that is accessible across all tabs.nextTabIdand increments its value.tabIdcould have a value of "com.company.TabX" whereXis the number returned bynextTabId.Login/Logout
privateTokenandpublicTokenare overwritten using the authentication token returned by the server.privateTokenandpublicTokenon the browser side, andprivateTokenon the server side. We do not deletepublicTokenon the server side.privateTokenwill get logged out as well. Any tabs using a different token will be unaffected.privateToken? When you open a link in a new window or tab, it inherits theprivateTokenof the parent tab.publicTokenon the server, a tab logging out withprivateTokenX,publicTokenY would cause tabs withprivateTokenY to get logged out (which is undesirable).On page load
tabIdquery parameter to the URL. The parameter value is equal to the value oftabId.tabIdURL parameter from the current page using history.replaceState() so users can share links with their friends (tabIdis user-specific and cannot be shared).tabIdcookie (more on this below).When a link is clicked
tabIdcookie and follows the link.tabIdand a value equal to the value ofprivateTokenWhen a server receives a request
tabIdparameter is missing, then redirect the browser toGetTabId.html?referer=XwhereXis the current URL.tabIdis present but the authentication token is invalid or expired, then redirect the browser to the login screen.GetTabId.html
privateToken, copypublicTokenintoprivateToken.privateTokenandpublicTokenare undefined, redirect to the login page.refererwhich indicates where to redirect to on success.privateToken, append thetabIdparameter to therefererpage and redirect back to it.window.location.replace()when redirecting to removeGetTabId.htmlfrom the browser history.Why do we keep on deleting/adding cookies?
tabIdcookie on page load, then each time a tab would make a request all of the other tabs' cookies would get sent as well.Known issues
tabId. As result, it gets the source-code of the page which redirects toGetTabId.htmlinstead of the actual page.GetTabId.htmland back to the original page).Apologies for the long implementation details, but I could not find an easier/shorter solution.